search for: sasl_mech

Hi everyone I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine If I add the line: sasl_mech GSSAPI to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank. ldapsearch -x -b '' -sbase supportedSASLMechanisms gives me: dn: supportedSASLMechanisms: GSS-SPNEGO supportedSASLMechanisms: GSSAPI supportedSASLMe...

...d another set of eyes to look at it (of course dovecot.conf should also be correct, but one thing at a time). Here's my dovecot-ldap.conf file: hosts = 192.168.0.240 #uris = dn = cn=<BINDUSER>,ou=IT,ou=Central Office,dc=<DOMAIN>,dc=local dnpass = <>PASSWORD #sasl_bind = no #sasl_mech = #sasl_realm = #sasl_authz_id = auth_bind = yes #auth_bind_userdn = ldap_version = 3 base = dc=<DOMAIN>, dc=local deref = never scope = subtree #user_filter = (&(objectClass=posixAccount)(uid=%u)) #pass_attrs = uid=user,userPassword=password #pass_attrs = uid=user,userPassword=password,h...

Hi, I am trying to configure the nslcd service on an Ubuntu client for kerberos authentication against samba4. My /etc/nslcd.conf contains the following: uid nslcd gid nslcd uri ldapi:///cofil01.mydomain.net base dc=mydomain,dc=net sasl_mech GSSAPI krb5_ccname FILE:/tmp/host.tkt I have added the host principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" to /etc/krb5.keytab on both the samba4 server and the client by using ktutil. I have confirmed that the principals exist on both machines by using klist -ke /etc/krb5.keyt...

...cache: FILE:/tmp/dovecot.krb5.ccache)) I have set the import_environment in dovecot.conf: import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache And these in LDAP configuration: dn = imap/host.example.com at EXAMPLE.COM sasl_bind = yes sasl_mech = gssapi sasl_realm = EXAMPLE.COM sasl_authz_id = imap/host.example.com at EXAMPLE.COM I have tried with different values in dn and sasl_authz_id and also leaving them out completely but I always end up with the error message above. Using simple bind without GSSAPI works just fine. The credenti...

...aving. Samba 4 has recently changed to require binds. I need LDAP to verify users exist. I am using Kerberos (GSSAPI) as the passdb. Samba can handle GSSAPI/Kerberos SASL binds. I have the following in my dovecot-ldap setup for userdb: dn = smtp/mailhost.example.org at EXAMPLE.ORG sasl_bind = yes sasl_mech = GSSAPI sasl_realm = EXAMPLE.ORG sasl_authz_id = smtp/mailhost.example.org at EXAMPLE.ORG Which gives me the following error. Debug: ldap(trever): user search: base=dc=example,dc=org scope=subtree filter=(&(objectClass=person)(|(mail=trever)(sAMAccountName=trever)(userPrincipalName=trever))...

> On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> wrote: > > > The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet form the previous mail). > sasl_bind = yes > sasl_mech = gssapi > tls = yes > > Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi). > https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/ > > With `...

...ovecot.conf: >> >> import_environment = TZ CORE_OUTOFMEM CORE_ERROR LISTEN_PID LISTEN_FDS >> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache >> >> And these in LDAP configuration: >> >> dn = imap/host.example.com at EXAMPLE.COM >> sasl_bind = yes >> sasl_mech = gssapi >> sasl_realm = EXAMPLE.COM >> sasl_authz_id = imap/host.example.com at EXAMPLE.COM >> >> I have tried with different values in dn and sasl_authz_id and also >> leaving them out completely but I always end up with the error message >> above. Using simpl...

...EP is fine too. In fact ldap even asks for available SASL mechanisms. After some negotiation it _successfully_ binds using GSS SPNEGO. But.. even after this successfully established encrypted bind it keeps querying in plain text. Is there anything I can do about it? For testing purposes I set "sasl_mech gssapi" in my ldap.conf but that didn't have any impact at all. regards, Roman

...at open-xchange.com> wrote: > > On 15/08/2019 00:34 Eugene via dovecot <dovecot at dovecot.org> > wrote: The next combination of parameters makes 100% LDAP > connections unsuccessful (the log snippet form the previous > mail). sasl_bind = yes sasl_mech = gssapi tls = yes Looks like > this combination is utterly incorrect and should be prohibited > (tls must not be used when mech is gssapi). > https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/...

Hello! Dovecot uses it's own SASL implementation, doesn't it? Aug 14 23:45:23 example.com auth[10428]: GSSAPI client step 1 Aug 14 23:45:23 example.com auth[10428]: encoded packet size too big (813804546 > 65536) Aug 14 23:45:23 example.com dovecot[10085]: auth-worker(10428): Error: LDAP: Can't connect to server: ldap://ipa2.example.com Aug 14 23:45:23 example.com

..._ERROR LISTEN_PID >>>> LISTEN_FDS >>>> KRB5CCNAME=FILE:/tmp/dovecot.krb5.ccache >>>> >>>> And these in LDAP configuration: >>>> >>>> dn = imap/host.example.com at EXAMPLE.COM >>>> sasl_bind = yes >>>> sasl_mech = gssapi >>>> sasl_realm = EXAMPLE.COM >>>> sasl_authz_id = imap/host.example.com at EXAMPLE.COM >>>> >>>> I have tried with different values in dn and sasl_authz_id and also >>>> leaving them out completely but I always end up with the e...

...userName #map passwd userPassword passwordChar #map passwd uidNumber uid #map passwd gidNumber gid #filter group (objectClass=aixAccessGroup) #map group cn groupName #map group uniqueMember member #map group gidNumber gid #sasl_mech GSSAPI sasl_realm HH3.SITE #krb5_ccname /tmp/krb5cc_0 Thanks Steve

...------------- #Servidor hosts = gold.example.com extra.example.com tls = yes ldap_version = 3 base = ou=people,dc=example,dc=com scope = onelevel #uid/gid user_global_uid = 5000 user_global_gid = 5000 #Bind para ler coisas dn = cn=dovecot,ou=people,dc=example,dc=com dnpass = secret sasl_bind = no sasl_mech = #passdb: usar password lookups para autenticar utilizadores auth_bind = no pass_attrs = userPassword=password #, =userdb_home=/home/vmail/%d/%n pass_filter = (&(maildrop=%u)(mailacceptinguser=1)) default_pass_scheme = PLAIN-MD5 ---------------------------------------------------------...

Hi! Running Dovecot 2.2.36 and authenticating against an OpenLDAP 2.4.45 server. Now since some update of dovecot it will not be able to authenticate your logins after a restart of the LDAP service is restarted without a reboot of the dovecot server. Anything new here that I should be aware of? Best Regards Dag

...or can cause errors and can/must be removed) map passwd uid sAMAccountName map passwd homeDirectory unixHomeDirectory map passwd gecos displayName map passwd gidNumber primaryGroupID map group member member # Kerberos #sasl_mech GSSAPI #sasl_realm CORP.OFLAMEO.COM #krb5_ccname /tmp/nslcd.tkt # The LDAP protocol version to use. #ldap_version 3 # LDAP bind (Account in AD that is used from nslcd to bind to the directory) binddn cn=ldap-connect,cn=Users,dc=corp,dc=oflameo,dc=com bindpw icanread33# # The DN used for password...

...red nslcd: grep ^[^#] /etc/nslcd.conf -> uid nslcd gid nslcd uri ldap://serveur.radiodjiido.nc base DC=radiodjiido,DC=nc map passwd uid samAccountName map passwd homeDirectory unixHomeDirectory map passwd gecos displayName map passwd gidNumber primaryGroupID sasl_mech GSSAPI sasl_realm RADIODJIIDO.NC krb5_ccname /tmp/nslcd.tkt checking that k5start is well running: ps ax | grep k5 -> 2956 pts/1 T 0:00 sudo k5start -f /etc/krb5.nslcd.keytab -U -o nslcd -K 540 -k /tmp/nslcd.tkt klist -> Ticket cache: FILE:/tmp/krb5cc_1000_mx2700 Default principal:...

The next combination of parameters makes 100% LDAP connections unsuccessful (the log snippet form the previous mail). sasl_bind = yes sasl_mech = gssapi tls = yes Looks like this combination is utterly incorrect and should be prohibited (tls must not be used when mech is gssapi). https://lists.fedorahosted.org/archives/list/sssd-users at lists.fedorahosted.org/message/G7S2TOFDCM62ZUHIBWYVZIEVYXO3KYAI/ With `tls = no` errors `encoded pack...

...: /etc/dovecot-ldap.conf userdb: driver: passwd socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: _postfix group: _postfix /etc/dovecot-ldap.conf hosts = xxx.xxx.xxx.xxx:389 #uris = #dn = #dnpass = #sasl_bind = no #sasl_mech = #sasl_realm = #sasl_authz_id = #tls = no auth_bind = yes auth_bind_userdn = cn=%u,cn=Users,dc=koelewijn,dc=bz #ldap_version = 2 base = dc=bz #deref = never #scope = subtree #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid #user_filter = (&(objectClass=posixAccount)(uid=%u)) #pass_...

..._wrap open of secrets.ldb GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2 The call is from here: base dc=hh3,dc=site map passwd uid samAccountName map passwd homeDirectory unixHomeDirectory sasl_mech GSSAPI sasl_realm HH3.SITE krb5_ccname /tmp/krb5cc_0 There is a ticket cache in /tmp/krb5cc_0 A conventional bind works fine. Thanks, Steve

...or userdb {} section in # conf.d/auth-ldap.conf.ext # Space separated list of LDAP hosts to use. host:port is allowed too. #hosts = ldap.sv.hm #uris = ldaps://ldap.sv.hm:636/ uris = ldap://ldap.sv.hm:389/ dn = cn=dovecot,ou=bindusers,dc=smuy,dc=net dnpass = 1qaz2wsx #sasl_bind = no #sasl_mech = #sasl_realm = #sasl_authz_id = # Use TLS to connect to the LDAP server. tls = yes #tls = no tls_ca_cert_file = /etc/ssl/certs/ca/signing-ca.crt tls_ca_cert_dir = /etc/ssl/certs/ca #tls_cipher_suite = # TLS cert/key is used only if LDAP server requires a client certificate. #tls_cert_...